rework: multi-stage Dockerfile lint/build/runtime pattern

Rewrites CI to use a multi-stage Dockerfile per REPO_POLICIES:

- Lint stage: golangci/golangci-lint:v2.1.6-alpine runs make fmt-check
  and make lint
- Build stage: golang:1.24.4-alpine runs make test, then builds binary
  with CGO enabled (required for mattn/go-sqlite3)
- Runtime stage: alpine:3.21 copies binary, runs as non-root user

All base images pinned by @sha256 hash.

CI workflow simplified to just 'docker build .' since the Dockerfile
already runs make check (fmt-check + lint + test).

Makefile aligned with REPO_POLICIES:
- check target uses prereqs (fmt-check lint test)
- fmt-check is read-only (gofmt -l, not go fmt)
- Added docker and hooks targets
- test uses -race -timeout 30s

Added .dockerignore for efficient build context.

.gitea/workflows/check.yml

@@ -8,15 +8,7 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
-        with:
-          go-version-file: go.mod
-      - name: Install system dependencies
-        run: |
-          sudo apt-get update -qq
-          sudo apt-get install -y -qq sqlite3
-      - name: Install golangci-lint
-        run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/5d1e709b7be35cb2025444e19de266b056b7b7ee/install.sh | sh -s -- -b "$(go env GOPATH)/bin" v2.10.1
-      - name: Run checks
-        run: make check
+      # actions/checkout v4, 2024-09-16
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - name: Build and check
+        run: docker build .